The Coming Security Revolution will be Messy

Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

==================

A friend just sent me a link to a blog predicting yet another CSO/CISO year of living dangerously. It’s a safe prediction. Since the spring of 2017 (or perhaps sooner) every year has become more precarious than the previous.

With thousands of security companies and billions in public vendor market caps offering protection, we still worry. We’re more exposed than any time in cyber history. You could say we’re dumbfounded.

The exposure problem is easy to comprehend, with just three key drivers:

Escalating complexity;

Escalating scale; and

Channel/architecture/message fatigue.

Escalating Complexity

From the original network, now partially virtualized (and partially frozen in time), to the rise of the cloud and various hybrid operating models, CSOs are trapped in unprecedented layers and levels of complexity. “Divide and conquer”, the maxim of Napoleonic battle strategy, has been flipped on its head as infrastructure has become fragmented beyond recognition, and rendered ripe for the picking by bad actors with even primitive hacking tools. Billions in security vendor market caps cannot fix this. Can any organization address this without breaking up with the network security / infrastructure cartels who themselves are trapped in monetizing complexity to the detriment of their customers’ careers?

Escalating Scale

As if complexity weren’t enough, thanks to the digital transformation traditional IT networks are now converging with OT networks, adding billions of insecure devices to the internet, creating new attack vectors which are much harder to protect from exploitation. We learned this in 2017 when NotPetya and WannaCry ravaged hundreds of global entities already investing heavily in cyber protection. The IIoT evolution represents a fundamental shift in scale and complexity. And the cartels will help you “discover” your problems so they can extend the complexity addiction deeper into your organization. More vulnerabilities, more jobs, more gear needed.

Stack Fatigue

Today’s network security cartels (and their wildly successful channel partners) that evolved to create today’s infrastructure served an invaluable purpose. They brought us from mainframes to deep, computerized connectivity in a matter of a few decades. They also engineered their own obsolescence. Unprecedented scale and complexity have broken their fundamental architectures, rendering them incapable, despite billions in market valuations, in providing fundamental protection, from edge to cloud. I’ve introduced this topic via panel to the next Future in Review.

These three drivers combine to force an ongoing churn of shifting, enigmatic choices and paradoxes that will start upending balance sheets tomorrow as they upend careers today.

Today’s Architectures are Very Profitable and Obsolete

For the established security vendors it’s deeper than a messaging problem, it’s a fundamental architecture problem that leads to a messaging problem. In short, how can these leaders white paper and webinar their way out of today’s deep, destructive architectural paradox? Maybe hire a leading analyst and have him/her perform a card trick that mesmerizes CSOs for another buying cycle?

I cannot help but think of the highly profitable 1950s tobacco companies advertising the health benefits of tobacco. Today’s security vendors, in effect, could be accused of doing the same thing today, monetizing CSO career dead ends with the mantra “All you need is complexity and more and more trained security pros.” That won’t last.

Hence my prediction: Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

The cloud needs the edge and the edge needs the cloud…

While pundits debate the edge versus the cloud (flashback reminder: the hybrid cloud debate of 2013) there will be a growing realization that the edge needs the cloud and the cloud needs the edge and both need a new vision of security and connectivity. The multi-billion cartel of today is out of sleight of hand card tricks… and a new infrastructure is needed.